getACL methods are too expensive when current ACL is SYSTEM

Description

There are many occasions when a long block of code is running as ACL.SYSTEM (generally anything that is not handling an HTTP or CLI request), yet permission checks (done as part of e.g. Jenkins.getAllItems) call many getACL methods on model objects, which in turn ask the AuthorizationStrategy to make a new ACL instance, which can be rather expensive in some cases, and then ask that implementation about SYSTEM, which may actually be a shortcut in the strategy but by that point a lot of work has already been done—all wasted, since SYSTEM must have full permissions regardless of strategy.

It would be better for core to ensure that Jenkins.getACL and other getACL methods calling Jenkins.getInstance().getAuthorizationStrategy().getACL(this) (AbstractItem, Computer, Job, Node, User, Cloud, View) return a proxy ACL whose hasPermission checks for SYSTEM immediately (returning true in this case), only consulting the AuthorizationStrategy for another Authentication. (The proxy ACL could even be a cached part of the model object, avoiding all object construction in this case.)
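
A minimal sketch of the proxy ACL proposed above, as an added example that is not Jenkins core code and not part of the original issue. The Authentication, ACL and strategy types are simplified stand-ins for the Jenkins classes, and the item and user names are constructed.

```java
import java.util.function.Function;

public class SystemShortCircuitDemo {
    // Simplified stand-ins for Jenkins' Authentication and ACL (assumed shapes).
    record Authentication(String name) {}
    interface ACL { boolean hasPermission(Authentication a, String permission); }

    static final Authentication SYSTEM = new Authentication("SYSTEM");
    static int strategyCalls = 0; // counts how often the strategy had to build an ACL

    // Stand-in for an expensive AuthorizationStrategy.getACL(item) call.
    static ACL expensiveStrategyAcl(String item) {
        strategyCalls++;
        return (a, p) -> a.name().equals("alice") && p.equals("Item.READ");
    }

    // Proxy ACL: answers for SYSTEM at once, consults the strategy for anyone else.
    static final class SystemProxyACL implements ACL {
        private final String item;
        private final Function<String, ACL> strategy;

        SystemProxyACL(String item, Function<String, ACL> strategy) {
            this.item = item;
            this.strategy = strategy;
        }

        @Override
        public boolean hasPermission(Authentication a, String permission) {
            // Reference comparison: only the SYSTEM singleton takes the shortcut,
            // never a principal that merely carries the same name.
            if (a == SYSTEM) return true;
            return strategy.apply(item).hasPermission(a, permission);
        }
    }

    public static void main(String[] args) {
        // The proxy can be created once and cached on the model object.
        ACL acl = new SystemProxyACL("job-1", SystemShortCircuitDemo::expensiveStrategyAcl);

        for (int i = 0; i < 1000; i++) acl.hasPermission(SYSTEM, "Item.READ");
        System.out.println("strategy calls after SYSTEM checks: " + strategyCalls);

        System.out.println("alice Item.READ: " + acl.hasPermission(new Authentication("alice"), "Item.READ"));
        // A distinct object named "SYSTEM" is delegated to the strategy like any other user.
        System.out.println("lookalike Item.READ: " + acl.hasPermission(new Authentication("SYSTEM"), "Item.READ"));
        System.out.println("strategy calls in total: " + strategyCalls);
    }
}
```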

Kevin Yu
added a comment - 2017-02-01 19:07
We are currently experiencing a bottleneck with 1900+ jobs because of this issue. The UI for admin is pretty much un-usable. CPU usage and memory seem fine.

Daniel Beck
added a comment - 2017-02-01 20:01
Kevin Yu
"The UI for admin is pretty much un-usable"
Entirely different issue, as you're not logging in as SYSTEM, but as an actual user. File a performance related issue with your chosen authorization strategy plugin (but only if stack traces show it's actually the culprit).